Side effects of enabling CAP_SYS_TIME inside VE [message #20364]
Mon, 17 September 2007 11:08
piavlo
Hi,
I get a strange behaviour inside VE when I enable CAP_SYS_TIME
for a specific VE with "vzctl set <VEID> --capability sys_time:on".
When CAP_SYS_TIME is disabled inside the VE and I try to run ntpd
with -u ntp:ntp to drop root privileges, ntpd fails to start with the error message:
ntpd[8176]: cap_set_proc() failed to drop root privileges: Operation not permitted
When I enable CAP_SYS_TIME inside the VE so that ntpd
can change the system time, the side effect is that ntpd
also succeeds in dropping root privileges and runs as the ntp user.
Why is this so? Why does enabling CAP_SYS_TIME also allow dropping root privileges?
Thanks
Alex